YELLOW SHEET Office of the State Auditor of Missouri
September 4, 2002
Report No. 2002-85
Department of Revenue could improve plans to recover business operations after a disaster or significant disruption
This audit analyzed the Department of Revenue's capability to resume normal business operations and recover information from automated data systems after a disaster or other disruptive event. Auditors examined disaster recovery planning, staff emergency response training, and testing and documentation procedures for backup systems and environmental controls. In the last year, department officials began to develop and implement a continuity plan. Audit results identified areas to enhance this plan.
Some key elements of recovery plans are complete
The department does not have a documented business continuity plan or an information technology recovery plan. As of May 2002, department officials had completed 3 of 10 key steps included in standard recovery plans. Department officials said the current preparedness level is well ahead of other state agencies, but acknowledged a comprehensive plan is far from being complete. (See pages 3 and 6)
Lack of management team and staff training impact preparedness
The department does not have an emergency management team to determine how to support overall data recovery across all business functions. In addition, department personnel are not trained in their specific roles and responsibilities regarding emergency response and business function recovery procedures. The department's formal policies for emergency fire, water, and alarm incidents also lack procedures directly related to the information technology staff and the computer rooms. (See page 7)
Backup and off-site storage do not ensure data recovery
The department's backup, off-site storage and recovery procedures for all systems and data are not documented and in some cases are not adequate, such as storing some backup data at an employee's personal residence. The department has not tested backup systems or data to ensure they can be recovered after a disaster. (See page 8)
Environmental control weaknesses exist
Auditors identified weaknesses in the department's environmental controls, including: computer facilities not strategically placed to reduce environmental risks, inadequate documentation and testing of controls, improperly inspected fire extinguishers, no controls monitoring humidity and temperature in computer facilities, computer equipment not protected from static electricity, uninterruptible power supplies not formally tested, and no documentation of emergency evacuation plan testing results. These weaknesses put critical information technology resources at risk from environmental hazards. (See page 9)